Insider Threat Best Practices from Industry
Hello, this is George Silowash from the Insider Threat Center at CERT. I had the opportunity to attend RSA Conference 2011 with two of my colleagues, Dawn Cappelli and Joji Montelibano. Insider threat was a popular topic at the conference this year: vendors discussed it in sales pitches, and security practitioner presentations focused on the problem. In addition to being speakers at the conference, staff members from the Insider Threat Center were there to gather ideas of what is being done in industry to address insider threats. This entry describes some of the strategies that organizations are using.
At RSA Conference 2011, we had the opportunity to lead a "Peer2Peer" session titled "Insider Threat: What's Working to Stop These Attacks?" Peer2Peer sessions are limited to 25 attendees, because the objective is interactive information sharing among the group. This small group roundtable helped us learn what practitioners are doing to mitigate the insider threat. Participants were asked to share their tips and tricks so we can all work together to prevent and detect these attacks. Before starting the session, we asked the group if we could share their ideas on our blog so that as many people could benefit from their techniques as possible, and the participants graciously agreed.
Below are the ideas that were discussed during the session. Please note that these views do not necessarily represent CERT opinions or positions. We are sharing them as practices that were effective for participants.
Insider Threat Incident Management
- Build upon an existing workplace violence program to manage insider threat risk
  - Many organizations already have workplace violence programs for recognizing and handling the potential threat of employee violence in the workplace. One organization has extended its workplace violence program to include insider threat indicators, since some employees may choose to act out online rather than by causing physical harm. [Note from CERT: This is an idea we actually developed last year with an organization and will be exploring in the coming months; more detailed guidance to come.]
- Let your employees know you are monitoring their activity
  - Several attendees suggested that you do not need to provide the details of the monitoring program. Instead, just let employees and contractors know that activities are monitored consistently across the organization and that the results will be used to identify potential insider threats as part of the organization's risk management program. [Note from CERT: We would love to get more input on this practice. How many of you are actually doing this? Email us using the feedback link.]
  - Some organizations have had success with letting all employees know when someone has been caught violating an organizational policy. Informing your employees may deter others from malicious behavior.
- Find ways to better understand your environment and to further enhance your audit capabilities
  - When someone tenders their resignation, activate additional auditing that lets you see what information they are accessing between notice and departure. Work with your legal, IT, and human resources teams beforehand to establish a clearly defined policy that protects employee privacy and addresses the legal issues of targeted monitoring.
  - Log, monitor, and report when a single account accesses a large number of files in a short period of time. This can aid in the detection of someone harvesting documents from an internal site.
  - Monitor for system access while an employee is on leave or during odd hours, when the legitimate account owner should not be active.
  - Consider using various types of honeypots to detect malicious insiders. The honeypots are specially configured servers with enhanced auditing enabled to detect rogue employees; no legitimate business process should touch them, so any access is worth investigating. These honeypots contain information that might tempt malicious insiders:
    - bogus company documents
    - accounts that appear to have special meaning or functions
    - an appearance that the server performs some critical business function
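As an added example, not code from the original post or from the session participants, the Python below shows how the audit ideas above (resignation watch list, burst file access, access on leave or at odd hours, and honeypot documents) can be turned into detection logic over a file-access log. The log format, the thresholds, the business hours, the leave calendar, the watch list and the decoy path are all assumptions made for this illustration, and the log itself is constructed, not real data.

```python
"""Detection logic for the roundtable's audit ideas, run over a constructed
file-access log (format, thresholds and policy data are assumptions).

  1. harvesting: many distinct files read by one account in a short window,
     with a lower threshold for accounts on a resignation watch list
  2. access while the account owner is on leave, or outside business hours
  3. any access to decoy (honeypot) documents
"""
from collections import defaultdict, deque
from datetime import date, datetime, time

# Constructed sample log, one event per line: "<ISO timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2011-03-01T09:02:11 alice READ /shares/eng/roadmap.docx
2011-03-01T09:03:40 alice READ /shares/eng/budget.xlsx
2011-03-01T09:04:05 bob READ /shares/hr/handbook.pdf
2011-03-01T22:15:30 carol READ /shares/sales/pipeline.xlsx
2011-03-02T10:00:01 bob READ /shares/eng/design_v1.docx
2011-03-02T10:00:09 bob READ /shares/eng/design_v2.docx
2011-03-02T10:00:17 bob READ /shares/eng/design_v3.docx
2011-03-02T10:00:25 bob READ /shares/eng/design_v4.docx
2011-03-02T10:00:33 bob READ /shares/eng/design_v5.docx
2011-03-02T11:30:00 dave READ /shares/eng/roadmap.docx
2011-03-03T14:20:00 alice READ /shares/finance/decoy/merger_plan.docx
"""

# Assumed policy parameters; tune against your own baseline.
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # weekday working hours, local time
BURST_WINDOW_SECONDS = 60
BURST_THRESHOLD = 5           # distinct files per window for a normal account
WATCHLIST_THRESHOLD = 3       # tighter threshold once notice has been given
ON_NOTICE = {"bob"}           # accounts whose owners have tendered resignation
ON_LEAVE = {"dave": (date(2011, 3, 1), date(2011, 3, 5))}  # assumed HR leave feed
DECOY_PREFIX = "/shares/finance/decoy/"   # assumed honeypot share; no legitimate reads


def parse_log(text):
    """Parse log lines into (timestamp, user, action, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def detect(events):
    """Return a list of (rule, user, timestamp, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # per-user (timestamp, path) inside the window
    burst_reported = set()        # report one burst per account, not one per file

    for ts, user, action, path in events:
        # Rule 1: sliding-window count of distinct files per account.
        window = recent[user]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > BURST_WINDOW_SECONDS:
            window.popleft()
        distinct = len({p for _, p in window})
        limit = WATCHLIST_THRESHOLD if user in ON_NOTICE else BURST_THRESHOLD
        if distinct >= limit and user not in burst_reported:
            alerts.append(("burst", user, ts,
                           f"{distinct} files in {BURST_WINDOW_SECONDS}s"))
            burst_reported.add(user)

        # Rule 2: the owner should not be active at all while on leave;
        # otherwise anything outside weekday business hours is "odd hours".
        leave = ON_LEAVE.get(user)
        if leave and leave[0] <= ts.date() <= leave[1]:
            alerts.append(("on_leave", user, ts, path))
        elif ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            alerts.append(("off_hours", user, ts, path))

        # Rule 3: any touch of the decoy share is an alert in its own right.
        if path.startswith(DECOY_PREFIX):
            alerts.append(("honeypot", user, ts, path))

    return alerts


def run_sample():
    """Run the rules over the constructed log and return the alert list."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts, detail in run_sample():
        print(f"{ts.isoformat()} {rule:<9} {user:<6} {detail}")
```

On the constructed log this produces four alerts: carol reading a share at 22:15, bob (on the resignation watch list) pulling three design documents within a minute, dave logging in during approved leave, and alice opening a decoy document. The burst rule counts distinct files rather than raw events so that repeatedly saving one document does not trip it, and it reports once per account so that a real harvesting run does not flood the queue; in production the leave calendar and watch list would come from HR rather than a constant.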
In addition to these strategies, the roundtable advised that organizations should carefully monitor system administrators and other privileged accounts. Several participants identified technical solutions, such as privileged access management products that issue one-time administrative passwords and keep a video recording of every interactive administrative session, so that privileged activity is attributable to an individual and can be reviewed after the fact.
Finally, if you do experience an insider incident, conduct an incident post mortem after the investigation is over. Use the post mortem to determine what enabled the incident to occur. Ask the following questions:
- What processes failed?
- Do new processes/policies/procedures need to be created?
- What technical and/or non-technical strategies could reduce the likelihood of this occurring again in the future?
These are some of the strategies that organizations are using to successfully identify and respond to insider threats. If you have other suggestions, please email us using the feedback link.